
Real World Computing

Ship of fools

6th March 2008 [PC Pro]

I was chatting to some Redmondians a few days ago about Windows 7. It appears there's a move afoot to replace the Vista kernel with a new one, which I talked about in this column a few months ago. This in itself is interesting and I have great respect for the Windows Kernel team. But things get a little more foggy when you look a few layers higher at the real guts of the operating system. The word is that there's a big compatibility interface layer going on top in an attempt to improve things, and that doesn't sound quite right to me.

What I'd do is take the new kernel and bolt in Microsoft's HyperWee (I'm sorry, "Hyper-V") hypervisor, then have a Vista OS that boots into fully hardened mode, where no applications can either install or run unless they're digitally signed. No apps can run if they talk to the outside world, either, so no email clients, web browsers, IRC engines and so forth, and absolutely no server processes that serve data out onto the internet or intranet. I'd allow corporate applications to be run there, providing they've been installed and run by Softricity or some equivalent service, under the harsh glare of examination and management by the network administrators.

Then there'd be a second Vista OS image that allowed only "mostly trusted" applications, email being a good example if it has good back-end antispam and antivirus engines. These are apps that are probably benign in themselves, but whose data content you might not trust entirely. Office fits into this category quite nicely, given Microsoft's continuing reluctance to make digital signing of Office macros mandatory.

Finally, you'd have a Vista "Dirty Space" image in which everything else is run - games, web browsers and anything that's unsigned or has been downloaded from the internet. This session will almost certainly be self-cleaning, reverting to a frozen known-good image every time it quits and thus ensuring that nothing nasty can survive the disinfection process.

Naturally, this vision raises some technical problems. All the various sessions will need to be presented in a single, seamless desktop space, but this can already be done. Then there'd need to be some management of application state and data - there'd need to be multiple registries with their components locked down and read-only - but this is do-able, too. You'd also need to manage the filesystem state, but this, too, can be done. You'd end up with a truly hardened OS that used virtualisation technology to run all applications in strong boxes.
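As an added example, not code from the column, from Microsoft or from any product it mentions, the following Python sketch models the scheme described above: a placement policy that sorts applications into the three session types (hardened, mostly trusted, "Dirty Space") from a handful of properties, and a session object whose writes land on an overlay over a frozen known-good image, so that a self-cleaning session discards everything on quit. The `App` fields, the session names, the sample applications and the file paths are all constructed for illustration.

```python
"""Toy model of a three-tier virtualised desktop (added example, constructed data)."""
from dataclasses import dataclass

HARDENED, MOSTLY_TRUSTED, DIRTY = "hardened", "mostly-trusted", "dirty-space"


@dataclass(frozen=True)
class App:
    """Properties an administrator would know about an application (assumed fields)."""
    name: str
    signed: bool = False             # carries a trusted digital signature
    managed_install: bool = False    # deployed by an admin-managed service
    talks_to_network: bool = False   # opens outbound connections (mail, web, IRC)
    serves_network: bool = False     # listens and serves data to the net
    runs_unsigned_code: bool = False # hosts unsigned macros or plug-ins
    scanned_content: bool = False    # its inbound data passes AV/antispam engines
    downloaded: bool = False         # fetched from the internet, not managed media


def place(app: App) -> str:
    """Assign an application to the least trusted session its properties require."""
    # Anything unsigned, downloaded or acting as a server is confined to Dirty Space.
    if app.downloaded or not app.signed or app.serves_network:
        return DIRTY
    # Hardened: signed, centrally managed, no network contact, no unsigned code inside.
    if app.managed_install and not app.talks_to_network and not app.runs_unsigned_code:
        return HARDENED
    # Mostly trusted: benign binary, untrusted data; network clients only if scanned.
    if not app.talks_to_network or app.scanned_content:
        return MOSTLY_TRUSTED
    return DIRTY


class Session:
    """A session over a frozen image: reads fall through to the image, writes go to an
    overlay, and a self-cleaning session throws the overlay away when it quits."""

    def __init__(self, name: str, base_image: dict, self_cleaning: bool):
        self.name = name
        self._base = dict(base_image)  # known-good image, never written
        self._overlay: dict = {}
        self._deleted: set = set()
        self.self_cleaning = self_cleaning

    def read(self, path: str) -> bytes:
        if path in self._deleted:
            raise FileNotFoundError(path)
        return self._overlay.get(path, self._base[path])

    def write(self, path: str, data: bytes) -> None:
        self._deleted.discard(path)
        self._overlay[path] = data

    def delete(self, path: str) -> None:
        self._overlay.pop(path, None)
        self._deleted.add(path)

    def view(self) -> dict:
        """The filesystem as the running session sees it."""
        merged = {**self._base, **self._overlay}
        return {p: d for p, d in merged.items() if p not in self._deleted}

    def quit(self) -> dict:
        """End the session; a self-cleaning one reverts to the frozen image."""
        if self.self_cleaning:
            self._overlay.clear()
            self._deleted.clear()
        return self.view()


# Constructed sample applications.
SAMPLE_APPS = [
    App("payroll client", signed=True, managed_install=True),
    App("email client", signed=True, managed_install=True, talks_to_network=True,
        scanned_content=True),
    App("office suite", signed=True, managed_install=True, runs_unsigned_code=True),
    App("web browser", signed=True, managed_install=True, talks_to_network=True),
    App("downloaded game", downloaded=True),
    App("intranet web server", signed=True, managed_install=True, serves_network=True),
]

# Constructed known-good image (paths and contents are illustrative only).
KNOWN_GOOD = {
    "C:/Windows/System32/kernel32.dll": b"system file",
    "C:/Users/me/notes.txt": b"clean notes",
}


def placements() -> dict:
    return {app.name: place(app) for app in SAMPLE_APPS}


def dirty_session_reverts() -> bool:
    """Tamper with files inside Dirty Space, quit, and check the image is untouched."""
    dirty = Session(DIRTY, KNOWN_GOOD, self_cleaning=True)
    dirty.write("C:/Users/me/Downloads/setup.exe", b"unsigned blob")
    dirty.write("C:/Users/me/notes.txt", b"tampered")
    dirty.delete("C:/Windows/System32/kernel32.dll")
    changed_while_running = dirty.view() != KNOWN_GOOD
    return changed_while_running and dirty.quit() == KNOWN_GOOD


if __name__ == "__main__":
    for name, tier in placements().items():
        print(f"{name:22s} -> {tier}")
    print("Dirty Space reverted cleanly:", dirty_session_reverts())
```

The policy deliberately checks the disqualifying properties first, so an application that is signed and managed but also serves data to the network still ends up in Dirty Space; the session class shows why a self-cleaning image is attractive from a defender's point of view, since nothing written or deleted during the session survives `quit()`.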

Is this likely to happen? No. The word is that the Windows 7 launch is being pushed closer in an attempt to get something out there with more appeal after the Vista Millennium Edition debacle. What are the key timescale issues to watch? Well, first I expect the availability of XP to system builders will be extended yet again, beyond this summer: let's put it to the end of the year at least. Then look forward to a drip-feed of leaks from Microsoft about how it's using Hyper-V in experimental form on the desktop and how this could bring radical new security and reliability enhancements to the desktop.

The problem for Microsoft is that those of us who want to do this sort of thing can, and are, already doing it: only a few machines in my network run without a hypervisor in place. And I can run those Windows images on any hardware platform I like. Which is why Microsoft's response to desktop hypervisor operation needs to be radical, brave and forthright. And now...
